Edge server user authentication error

Question
Hi experts,
I have deployed the following test configuration:
1. Domain name - moon.local
SIP domain - moon.local
2. Domain Controller, DNS server & Enterprise Certification Authority - ad.moon.local, IP 192.168.10.1
All required A and SRV records are created, hopefully as they should be.
3. OCS 2007 Standard Edition Server - fe1.moon.local, IP 192.168.10.2
4. Edge server - DG1 in WORKGROUP - with 3 NICs for the different interfaces:
4.1. Internal NIC - IP 192.168.10.3, FQDN dg1.moon.local
4.2. External NIC for Access Edge - IP 192.168.50.1, FQDN sip.outside.com
4.3. External NIC for Web Conferencing - IP 192.168.50.2, FQDN web.outside.com
5. No A/V edge server is deployed
6. No Reverse proxy is deployed
7. No Director is deployed
8. All used certificates are issued from the local Enterprise CA
OCS server configuration:
Web Conferencing Edge Server Settings
Internal Port: 8057
External Port: 443
Internal FQDN: dg1.moon.local
External FQDN: web.outside.com
All possible options enabling user access to Web conferencing and IM are set.
OCS server certificate:
SN = fe1.moon.local
SAN = sip.moon.local, fe1.moon.local
Edge server configuration:
Access Edge:
Federation external - 192.168.50.1 : 5061
Remote external - 192.168.50.1 : 443
Internal - 192.168.10.3 : 5061
Next hop - 192.168.10.2 : 5061
Certificate:
SN = sip.outside.com
SAN = sip.outside.com, sip.moon.local, dg1
Web Conferencing Edge:
External - 192.168.50.2 : 443
Internal - 192.168.10.3 : 8057
Certificate:
SN = web.outside.com
SAN = web.outside.com, sip.moon.local, dg1
Internal certificate:
SN = dg1.moon.local
SAN = dg1.moon.local, dg1
The validation of the OCS server is successful. All services are running and can be used internally.
The validation of Edge server fails with the following error:
Diagnose Server -> Check Configuration -> Check user logon -> Attempting to login user using NTLM
Failure [0xC3FC200D] One or more errors were detected
Maximum hops: 2
Registration timed-out.: User sip:test1@moon.local @ Server sip.outside.com
Suggested Resolution: Use the maximum hop count to determine the server that generated this error. For example, if the maximum hop value is 2, then it is likely that this error was generated by a server that is 1 (immediate target) or 2 hops away. If the target server supplied and the home server for the user are different check the trust relationship between them. If the target server is an access edge server then check whether the internal supported domain list contains the domain of this user. In addition, check the forest-level domain supported list and make sure the user domain is present. Finally, run the dbanalyze tool on the home server to check whether the user is homed and configured correctly.
and
Maximum hops: 2
Failed to register user: User sip:test2@moon.local @ Server sip.outside.com
Failed to send SIP request: An existing connection was forcibly closed by the remote host
Suggested Resolution: Make sure that the server is listening on the specified IP address/Port/Transport. If you have a firewall make sure that this port is open. Make sure that the server is running. If this is an Edge Server, ensure that remote user access has been enabled. This can be ignored if you have not enabled the transport on the target server.
The Event log of the Edge server contains the following:
1. Warning:
A configured certificate could not be loaded from store. The serial number is attached for reference. Extended Error Code: 0x80092004.
Cause: This could happen if the certificate is not found or if the server has insufficient privileges to read and/or access the store containing the certificate.
2. Error:
Unable to use a certificate as configured
Transport:TLS, IP address:192.168.50.1, Port:5061. Error:0x0xC3E93C0D (SIP_E_STACK_TRANSPORT_CERT_NOT_FOUND).
Cause: The certificate may have been deleted or the configuration is erroneous.
Resolution:
Ensure that a valid certificate is present in the local computer certificate store. Also ensure that the server has sufficient privileges to access the store.
I tried many variants of certificates for the internal and external interfaces of the Edge server - the same error occurred every time.
Has anyone faced such problems? Could someone help me resolve this issue?
Thanks in advance!
Monday, June 1, 2009 7:41 AM
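As an added example (my own code, not from the thread, from OCS or from the poster), the check below tests whether each listener FQDN in the posted configuration is covered by the SN/SAN of the certificate assigned to it. The certificate data is transcribed from the post; the "constructed" counter-example is mine; the matching rule is the standard TLS host-name rule (SAN dNSName entries take precedence over the Subject CN, a wildcard covers exactly one left-most label, and a short host name such as "dg1" never matches "dg1.moon.local"). It checks names only: the "could not be loaded from store" warning above (0x80092004) concerns finding the certificate and its private key in the local computer store, which a name check cannot see.

```python
"""Name-coverage check for the certificates in the posted Edge configuration.

Added example; not part of the thread or of OCS. Matching follows the usual
TLS host-name rule, see name_matches() and cert_covers() below.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject_cn: str   # "SN" in the post
    sans: tuple       # dNSName entries ("SAN" in the post); empty if none


@dataclass(frozen=True)
class Listener:
    role: str
    fqdn: str         # the name the peer validates the certificate against
    cert: Cert


def name_matches(pattern, fqdn):
    """Exact match, or a single-label left-most wildcard ("*.moon.local")."""
    pattern = pattern.lower().rstrip(".")
    fqdn = fqdn.lower().rstrip(".")
    if pattern == fqdn:
        return True
    if pattern.startswith("*."):
        head, sep, rest = fqdn.partition(".")
        # "*.moon.local" covers "dg1.moon.local" but neither "moon.local"
        # nor "a.dg1.moon.local": the wildcard stands for one label only.
        return sep == "." and head != "" and "." + rest == pattern[1:]
    return False


def cert_covers(cert, fqdn):
    """SAN entries are authoritative; the CN counts only when there are none."""
    names = cert.sans if cert.sans else (cert.subject_cn,)
    return any(name_matches(n, fqdn) for n in names)


def check(listeners):
    """Map each listener role to (fqdn, covered) so gaps are easy to spot."""
    return {l.role: (l.fqdn, cert_covers(l.cert, l.fqdn)) for l in listeners}


def uncovered(listeners):
    """Roles whose certificate carries no name matching the listener FQDN."""
    return [role for role, (_, ok) in check(listeners).items() if not ok]


# Transcribed from the configuration posted above.
ACCESS_EDGE_CERT = Cert("sip.outside.com", ("sip.outside.com", "sip.moon.local", "dg1"))
WEBCONF_EDGE_CERT = Cert("web.outside.com", ("web.outside.com", "sip.moon.local", "dg1"))
INTERNAL_CERT = Cert("dg1.moon.local", ("dg1.moon.local", "dg1"))
FRONT_END_CERT = Cert("fe1.moon.local", ("sip.moon.local", "fe1.moon.local"))

POSTED_CONFIG = [
    Listener("access edge external 192.168.50.1 (5061/443)", "sip.outside.com", ACCESS_EDGE_CERT),
    Listener("web conferencing edge external 192.168.50.2:443", "web.outside.com", WEBCONF_EDGE_CERT),
    Listener("edge internal 192.168.10.3", "dg1.moon.local", INTERNAL_CERT),
    Listener("next hop 192.168.10.2:5061 (name the Edge expects)", "fe1.moon.local", FRONT_END_CERT),
]

# Constructed counter-example (not in the post): an internal certificate that
# carries only the short host name, which does not cover the FQDN.
SHORT_NAME_ONLY = Listener("edge internal (constructed)", "dg1.moon.local", Cert("dg1", ("dg1",)))


if __name__ == "__main__":
    for role, (fqdn, ok) in check(POSTED_CONFIG + [SHORT_NAME_ONLY]).items():
        print(f"{'OK ' if ok else 'BAD'} {role}: {fqdn}")
```

For the posted configuration every listener name is covered, which is consistent with the event log pointing at the certificate store rather than at a name mismatch; the constructed short-name certificate is the kind of mistake this check does catch.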
All replies
What happens when attempting to sign-in externally from Communicator? I've seen stuff like that in the Edge Validation before in an otherwise perfectly working environment, so I've learned to ignore some of the 'failure to register' errors; it depends on if both NTLM and Kerberos are supported in the current configuration.
Jeff Schertz, PointBridge | MVP | MCITP: Enterprise Messaging | MCTS: OCS
Tuesday, June 2, 2009 12:52 PM (Moderator)
Hi Jeff,
When I try to log in using Communicator with Sign-in address: test1@moon.local and Server: sip.outside.com:443, it asks me to enter the name and password, so I enter user: moon\test1 and pass: test1 (as it is set in the domain controller), and it always says:
"Cannot sign in to Communicator. You may have entered your sign-in address, user name, or password incorrectly, or the authentication service may be incompatible with this version of the program. If your sign-in information is correct and the problem persists, please contact your system administrator."
Wednesday, June 3, 2009 11:40 AM
Finally I managed to sign in externally from Communicator. Do not ask me how - I do not know what exactly made it work, I made a lot of changes in the certificates and other settings.
Now another problem has to be resolved - joining externally a Live Meeting conference initiated by another user. I can successfully create and join an existing conference from inside. The Live Meeting client always returns the following error message:
Live Meeting cannot connect to the meeting.
Wait a few moments, and then try to join the meeting again.
If you still cannot connect, contact your administrator or technical support.
Is it possible to join a meeting from the outside if no Reverse proxy is installed and configured?
Thursday, June 18, 2009 1:35 PM
Yes, it's possible to connect externally without the Reverse Proxy; the only feature that gives is shared content download from the Web Components service.
Make sure that you have your External Web Farm FQDN populated with at least something, even if you don't have a reverse proxy configured with a valid, resolvable FQDN. If the value is blank then Live Meeting clients can't connect through the Edge server. You could just duplicate the internal FQDN, or pick an FQDN that you end up using at some point.
See this blog article for more details: http://blogs.pointbridge.com/Blogs/schertz_jeff/Pages/Post.aspx?_ID=67
Jeff Schertz, PointBridge | MVP | MCITP: Enterprise Messaging | MCTS: OCS
Thursday, June 18, 2009 5:03 PM (Moderator)
Thanks, Jeff!
When I installed OCS I set the external web farm FQDN to sip.outside.com (the same as the external FQDN of the Access Edge server). I did not know what was hiding behind that "external web farm FQDN". Could it be the problem?
I tested successfully all connections with TELNET as advised in the blog article.
When I start Live Meeting on an external PC I see the following errors in the trace file:
06/19/2009|16:30:15.359 4DC:764 INFO :: Data Received - 192.168.50.1:443 (To Local Address: 192.168.50.115:1062) 708 bytes:
06/19/2009|16:30:15.359 4DC:764 INFO :: SIP/2.0 401 Unauthorized
ms-user-logon-data: RemoteUser
Date: Fri, 19 Jun 2009 13:28:49 GMT
WWW-Authenticate: NTLM realm="SIP Communications Service", targetname=" fe1.moon.local", version=3
WWW-Authenticate: Kerberos realm="SIP Communications Service", targetname="sip/ fe1.moon.local", version=3
From: <sip:test@moon.local>;tag=798a3a087b;epid=32c995c617
To: <sip:test2@moon.local;gruu;opaque=app:conf:focus:id:1549994c91034f619d1ba7d857d47857>;tag=9D682A19BAE6A9C3E10FD2AE39064530
Call-ID: a634b03b297344209bdc62ac1ae007b6
CSeq: 1 INVITE
Via: SIP/2.0/TLS 192.168.50.115:1062;ms-received-port=1062;ms-received-cid=1100
Content-Length: 0
06/19/2009|16:30:15.359 4DC:764 INFO :: End of Data Received - 192.168.50.1:443 (To Local Address: 192.168.50.115:1062) 708 bytes
.
.
.
06/19/2009|16:30:15.250 4DC:764 INFO :: Data Received - 192.168.50.1:443 (To Local Address: 192.168.50.115:1060) 442 bytes:
06/19/2009|16:30:15.250 4DC:764 INFO :: SIP/2.0 481 Call Leg Does Not Exist
ms-user-logon-data: RemoteUser
From: <sip:test@moon.local>;tag=59e5788a1e;epid=32c995c617
To: <sip:test2@moon.local;gruu;opaque=app:conf:focus:id:1549994c91034f619d1ba7d857d47857>;tag=4158EA73910F66BAB59D1C37B9C1DEEA
Call-ID: 2a9d2e9c82f14888a4973463b47fbc53
CSeq: 1 CANCEL
Via: SIP/2.0/TLS 192.168.50.115:1060;ms-received-port=1060;ms-received-cid=1000
Content-Length: 0
06/19/2009|16:30:15.250 4DC:764 INFO :: End of Data Received - 192.168.50.1:443 (To Local Address: 192.168.50.115:1060) 442 bytes
And this I found in the Event Log of the Edge Server:
Failed to process data received from the client
Over the past 0 minutes Office Communications Server has disconnected clients 1 time(s) as a result of invalid data being received on client connections. The last such client which was disconnected is "192.168.50.115:1042".
Cause: Failed to process data received from the client
Resolution:
Check and make sure that the connection came from a trustworthy client.
.
.
.
Timed out waiting for client to present validation cookie
Over the past 0 minutes Office Communications Server has disconnected client(s) 1 time(s) because of timing out waiting for cookie to be presented. The last such client which was disconnected is "192.168.50.115:1043"
Cause: This can occur if client does not present a validation cookie within 20 seconds of getting connected
Resolution:
Check to make sure that the connection came from a trustworthy client. This could indicate an attack being mounted by a rogue client.
.
.
.
Server connection failed to establish.
Over the past 0 minutes Office Communications Server has experienced TLS outgoing connection failures 1 time(s). The error code of the last failure is 0x80090308 (The token supplied to the function is invalid) while trying to connect to the host "".
Cause: This can occur if the destination is not configured or unreachable from this host.
Resolution:
Check your topology configuration to ensure the destination host can be reached and is a valid Web Conferencing Server configured to accept connections.
Any ideas what could cause problems?
- Edited by Peter Yordanov Friday, June 19, 2009 2:20 PM
Friday, June 19, 2009 2:14 PM
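As an added example (my own code, not from the thread, from the poster or from Microsoft), here is a small parser for the Live Meeting client trace excerpt quoted above. It splits the trace into "Data Received" records, reads the SIP status line and headers, and lists which authentication schemes the 401 offers, which is the NTLM/Kerberos question raised earlier in the thread. The sample input is the two responses from the post, embedded as a constructed string with the "..." separator dropped; the parser assumes the record format exactly as it appears there and ignores any line it does not recognise. The 481 to the CANCEL is read here only as standard SIP semantics (the server has no matching transaction), not as a diagnosis.

```python
"""Parser for the Communicator/Live Meeting client trace format quoted in the
thread (added example, not part of the post). Record layout assumed:
  <date>|<time> <pid>:<tid> INFO :: Data Received - <remote> (To Local Address: <local>) N bytes:
  <date>|<time> <pid>:<tid> INFO :: SIP/2.0 <code> <reason>
  <header>: <value> ...
  <date>|<time> <pid>:<tid> INFO :: End of Data Received - ...
"""
import re
from dataclasses import dataclass, field

# Constructed sample: the two responses pasted above, in the order pasted.
SAMPLE_TRACE = """\
06/19/2009|16:30:15.359 4DC:764 INFO :: Data Received - 192.168.50.1:443 (To Local Address: 192.168.50.115:1062) 708 bytes:
06/19/2009|16:30:15.359 4DC:764 INFO :: SIP/2.0 401 Unauthorized
ms-user-logon-data: RemoteUser
Date: Fri, 19 Jun 2009 13:28:49 GMT
WWW-Authenticate: NTLM realm="SIP Communications Service", targetname=" fe1.moon.local", version=3
WWW-Authenticate: Kerberos realm="SIP Communications Service", targetname="sip/ fe1.moon.local", version=3
From: <sip:test@moon.local>;tag=798a3a087b;epid=32c995c617
To: <sip:test2@moon.local;gruu;opaque=app:conf:focus:id:1549994c91034f619d1ba7d857d47857>;tag=9D682A19BAE6A9C3E10FD2AE39064530
Call-ID: a634b03b297344209bdc62ac1ae007b6
CSeq: 1 INVITE
Via: SIP/2.0/TLS 192.168.50.115:1062;ms-received-port=1062;ms-received-cid=1100
Content-Length: 0
06/19/2009|16:30:15.359 4DC:764 INFO :: End of Data Received - 192.168.50.1:443 (To Local Address: 192.168.50.115:1062) 708 bytes
06/19/2009|16:30:15.250 4DC:764 INFO :: Data Received - 192.168.50.1:443 (To Local Address: 192.168.50.115:1060) 442 bytes:
06/19/2009|16:30:15.250 4DC:764 INFO :: SIP/2.0 481 Call Leg Does Not Exist
ms-user-logon-data: RemoteUser
From: <sip:test@moon.local>;tag=59e5788a1e;epid=32c995c617
To: <sip:test2@moon.local;gruu;opaque=app:conf:focus:id:1549994c91034f619d1ba7d857d47857>;tag=4158EA73910F66BAB59D1C37B9C1DEEA
Call-ID: 2a9d2e9c82f14888a4973463b47fbc53
CSeq: 1 CANCEL
Via: SIP/2.0/TLS 192.168.50.115:1060;ms-received-port=1060;ms-received-cid=1000
Content-Length: 0
06/19/2009|16:30:15.250 4DC:764 INFO :: End of Data Received - 192.168.50.1:443 (To Local Address: 192.168.50.115:1060) 442 bytes
"""

PREFIX = re.compile(r"^(?P<ts>\d\d/\d\d/\d{4}\|\d\d:\d\d:\d\d\.\d+) \S+ INFO :: (?P<rest>.*)$")
START = re.compile(r"^Data Received - (?P<remote>\S+) \(To Local Address: (?P<local>\S+)\) \d+ bytes:$")
STATUS = re.compile(r"^SIP/2\.0 (?P<code>\d{3}) (?P<reason>.*)$")
PARAM = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]*))')   # key="quoted" or key=bare


@dataclass
class SipResponse:
    timestamp: str
    remote: str
    local: str
    code: int
    reason: str
    headers: dict = field(default_factory=dict)   # lower-cased name -> [values]

    def header(self, name):
        """First value of a header, or None."""
        return self.headers.get(name.lower(), [None])[0]

    def auth_schemes(self):
        """Schemes offered in WWW-Authenticate, in the order sent."""
        return [v.split(None, 1)[0] for v in self.headers.get("www-authenticate", [])]

    def auth_params(self, scheme):
        """Parameters of one WWW-Authenticate challenge; quoted values are stripped."""
        for v in self.headers.get("www-authenticate", []):
            name, _, params = v.partition(" ")
            if name == scheme:
                return {k: (q or b).strip() for k, q, b in PARAM.findall(params)}
        return None


def parse_trace(text):
    """Return one SipResponse per 'Data Received' record that holds a SIP response."""
    responses, ctx, msg = [], None, None
    for line in text.splitlines():
        m = PREFIX.match(line)
        if m:
            rest = m.group("rest")
            s = START.match(rest)
            if s:
                ctx, msg = (m.group("ts"), s.group("remote"), s.group("local")), None
            elif rest.startswith("End of Data Received"):
                if msg is not None:
                    responses.append(msg)
                ctx, msg = None, None
            else:
                st = STATUS.match(rest)
                if ctx is not None and st:
                    msg = SipResponse(*ctx, int(st.group("code")), st.group("reason"))
            continue
        if msg is not None and ":" in line:            # header line inside a record
            name, _, value = line.partition(":")
            msg.headers.setdefault(name.strip().lower(), []).append(value.strip())
    return responses


def summarize(responses):
    """Timeline in timestamp order (the post pasted the records out of order)."""
    lines = []
    for r in sorted(responses, key=lambda r: r.timestamp):
        note = ""
        if r.code == 401:
            note = "; offered " + ", ".join(r.auth_schemes())
            ntlm = r.auth_params("NTLM") or {}
            if "targetname" in ntlm:
                note += " for " + ntlm["targetname"]
        lines.append(f"{r.timestamp} {r.remote} -> {r.local}: {r.code} {r.reason} ({r.header('CSeq')}){note}")
    return lines


if __name__ == "__main__":
    print("\n".join(summarize(parse_trace(SAMPLE_TRACE))))
```

Sorting by timestamp matters when reading pasted excerpts: here the 481 to the CANCEL on port 1060 precedes the 401 on port 1062 by about 100 ms, which is easy to miss in the order the lines were posted.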